Share
# Exploit Title: Veyon 4.3.4 - 'VeyonService' Unquoted Service Path  
# Discovery by: Víctor García  
# Discovery Date: 2020-03-23  
# Vendor Homepage: https://veyon.io/  
# Software Link:  
https://github.com/veyon/veyon/releases/download/v4.3.4/veyon-4.3.4.0-win64-setup.exe  
# Tested Version: 4.3.4  
# Vulnerability Type: Unquoted Service Path  
# Tested on: Windows 10 Pro x64  
  
# Step to discover Unquoted Service Path:  
  
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"  
|findstr /i /v "C:\Windows\\" |findstr /i /v """  
Veyon Service VeyonService C:\Program Files\Veyon\veyon-service.exe  
  
  
# Service info:  
  
C:\>sc qc VeyonService  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: VeyonService  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : C:\Program Files\Veyon\veyon-service.exe  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : Veyon Service  
DEPENDENCIES : Tcpip  
: RpcSs  
SERVICE_START_NAME : LocalSystem  
  
  
# Exploit:  
  
# A successful attempt would require the local user to be able to insert their code in the  
# system root path undetected by the OS or other security applications where it could  
# potentially be executed during application startup or reboot. If successful, the local  
# user's code would execute with the elevated privileges of the application.